Shared Responsibility? Barracuda Study Reveals Public Cloud Customers Just Don’t Get It

Oct 24, 2017

We all know public cloud adoption is on the rise. The benefits of greater IT efficiency, business agility, scalability and cost savings are undeniable, yet for many security remains the key barrier to adoption. That’s not surprising given the range of threats facing firms today – from data-stealing malware to ransomware and targeted attacks. As new Barracuda Networks research reveals, 60% of EMEA organisations have already been targeted by a cyber attack, and a quarter (26%) expect it will happen – so the stakes couldn’t be higher.

However, as the survey also reveals, the core problem for all stakeholders is IT buyer confusion over whose responsibility cloud security is. Misconceptions here over how big a security burden the provider should bear could not only be holding back public cloud adoption but in a worst-case scenario could leave organizations dangerously exposed to attacks.

Security concerns restrict growth

The poll of 550 EMEA IT decision makers using public IaaS installations tells us firstly that the amount of infrastructure they’re putting in the cloud will rise from 35% currently to 63% in the next five years, although the UK is notably in the last place with current adoption (29%). Most run a mix of mainly external facing (60%) and some internally facing (38%) apps, covering everything from data storage and recovery to analytics, CRM systems, and testing.

However, less than half (43%) said they felt totally confident that their organization’s move to the public cloud was secure, with the figure dropping to less than a third (31%) in the UK. As a result, two-thirds (64%) of EMEA respondents claimed that security concerns are restricting their migration to the public cloud, a figure rising to 70% in the ultra-cautious UK. The impact of cyber attacks isn't the only consideration here. Organizations are also concerned about regulatory compliance – especially ahead of the GDPR deadline next May – shadow IT, the lack of an expert security partner, and much more.

Whose responsibility?

The root cause of many public cloud concerns is a lack of clarity over the shared responsibility model. Many IT buyers assume that because they’re effectively outsourcing the running of their infrastructure to a trusted third party, the provider will take care of everything. This simply isn’t the case. Amazon Web Services is very clear, stating that it will address security “of” the cloud – compute, storage, database, networking, and global infrastructure including edge location and availability zones. But the customer is 100% responsible for security “in” the cloud – data, apps, identity management, OS, network and firewall configuration, network traffic, server-side encryption, and client-side data.

This is problematic when one considers the answers to the Barracuda Networks survey, in which the vast majority of IT leaders claimed that their public IaaS provider is responsible for securing customer data in the public cloud (64%), securing applications (61%) and operating systems (60%). This is completely at odds with what AWS, Microsoft, and others say, exposing countless organsations to unnecessary risk. The fact that 61% across EMEA claim to fully understand their cloud obligations further underlines the dangerous disconnect between perception and reality when it comes to public cloud security.

Responsibility starts here

The good news is that, despite this misunderstanding about roles and responsibilities in public cloud security, over half of respondents (57%) said they’d already invested in additional security to their cloud environment to protect it during access. But the truth is that IT decision makers need to think about the whole gamut of security controls.

How do you choose a provider? As always, it pays to do as much due diligence up front as possible. Things to look out for are centralised management tools; 24/7 support; and easy provisioning, configuration, and deployment directly from the cloud vendor. This will save you time and money on integration and make life easier if you’re running a hybrid cloud set-up.

As for those security controls, overall you need to ensure you have a 360 protection: detect, protect and recover, which should be the three pillars to ensure your most important assets are protected.